Users can be authenticated either internally by NetScaler MAS, externally by an authenticating server, or both. If local authentication is used, the user must be in the NetScaler MAS security database. If the user is authenticated externally, the user's "external name" should match the external user identity registered with the authenticating server, depending on the selected authentication protocol.
NetScaler MAS supports external authentication by means of RADIUS, LDAP and TACACS protocols. This unified support provides a common interface to authenticate and authorize all the local and external authentication, authorization and accounting (AAA) server users who are accessing the system. NetScaler MAS can authenticate users regardless of the actual protocols they use to communicate with the system. When a user attempts to access a NetScaler MAS implementation that is configured for external authentication, the requested application server sends the user name and password to the RADIUS, LDAP or TACACS server for authentication. If the authentication is successful, the corresponding protocol is used to identify the user in NetScaler MAS.
You can authenticate your users in NetScaler MAS in two ways:
- By using NetScaler MAS local servers
- By using external authentication servers
The following flow chart shows the workflow to follow when you are authenticating local or external users:
Configuring External Authentication Servers
NetScaler MAS supports various protocols to provide external Authentication, Authorization, and Accounting (AAA) services.
NetScaler MAS sends all authentication, authorization, and accounting (AAA) service requests to the remote RADIUS, LDAP, or TACACS+ server. The remote AAA server receives the request, validates the request, and sends a response back to NetScaler MAS. When configured to use a remote RADIUS, TACACS+, or LDAP server for authentication, NetScaler MAS becomes a RADIUS, TACACS+, or LDAP client. In any of these configurations, authentication records are stored in the remote host server database. Login and logout account name, assigned permissions, and time-accounting records are also stored on the AAA server for each user.
Additionally, you can use the internal database of NetScaler MAS to authenticate users locally. You create entries in the database for users and their passwords and default roles. You can also create groups of servers for specific types of authentication. The list of servers in a server group is an ordered list. The first server in the list is always used unless it is unavailable, in which case the next server in the list is used. You can configure servers of different types in a group, and you can also include the internal database as a fallback authentication backup to the configured list of AAA servers.
Configuring a RADIUS Authentication Server
You can configure NetScaler MAS to authenticate user access with one or more RADIUS servers. Your configuration might require using a network access server IP (NAS IP) address or a network access server identifier (NAS ID). When configuring NetScaler MAS to use a RADIUS authentication server, use the following guidelines:
- If you enable use of the NAS IP address, the appliance sends its configured IP address to the RADIUS server, rather than sending the source IP address used in establishing the RADIUS connection.
- If you configure the NAS ID, the appliance sends the identifier to the RADIUS server. If you do not configure the NAS ID, the appliance sends its host name to the RADIUS server.
- If you enable the NAS IP address, the appliance ignores any NAS ID that is configured, and uses the NAS IP to communicate with the RADIUS server.
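The three NAS guidelines above decide which attribute ends up in the Access-Request on the wire, and the Secret Key configured later is what hides the User-Password and authenticates the server's reply. The following Python model, added here as an illustration and not part of the Citrix documentation or of NetScaler MAS itself, builds an RFC 2865 Access-Request applying exactly those rules (NAS IP wins over NAS ID; with neither, the host name is sent), hides the password the way the RFC specifies, and checks the Response Authenticator so that a reply that was not produced with the shared secret is rejected. The host name, IP addresses, secret and credentials are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def _attr(atype, value):
    """Encode one type-length-value attribute (length includes the 2-byte header)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)  # NUL-pad to a multiple of 16 bytes
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        out, prev = out + c, c
    return out


def recover_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def nas_attributes(use_nas_ip, nas_ip, nas_id, hostname):
    """The guideline from the text: an enabled NAS IP makes any NAS ID irrelevant;
    otherwise the NAS ID is sent, and without a NAS ID the host name is sent."""
    if use_nas_ip:
        return [_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    return [_attr(NAS_IDENTIFIER, (nas_id or hostname).encode())]


def build_access_request(identifier, username, password, secret, *, use_nas_ip=False,
                         nas_ip=None, nas_id=None, hostname="mas01", request_auth=None):
    """Client (NetScaler MAS side) Access-Request: header, 16-byte Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    attrs += b"".join(nas_attributes(use_nas_ip, nas_ip, nas_id, hostname))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(packet):
    """Return {type: [value, ...]} for the attributes that follow the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[i + 2:i + alen])
        i += alen
    return attrs


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response, request_auth, secret):
    """Client side: recompute the Response Authenticator with the shared secret and the
    Request Authenticator we sent; a forged, tampered or replayed reply fails this check."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    req = build_access_request(7, "alice", "Pa55w0rd!", secret, nas_id="mas-nas-01")
    print(parse_attributes(req))
    reply = build_response(ACCESS_ACCEPT, 7, req[4:20], secret)
    print("reply authentic:", verify_response(reply, req[4:20], secret))
```

The check in verify_response is the reason the Secret Key matters beyond password hiding: a RADIUS client that skips it would accept any Access-Accept spoofed toward its listening port.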
To configure a RADIUS authentication server
- In NetScaler MAS, navigate to System > Authentication > RADIUS.
- On the RADIUS page, click Add.
- On the Create RADIUS Server page, set the parameters and click Create to add the server to the list of RADIUS authentication servers. The following parameters are mandatory:
- Name. Name of the RADIUS server.
- IP Address. IP address of the RADIUS server.
- Port. By default, port 1812 is used for RADIUS authentication. You can specify a different port number if necessary.
- Time-out (seconds). Time, in seconds, that the NetScaler MAS system waits for a response from the RADIUS server.
- Secret Key. Any alphanumeric expression. This is the key that is shared between NetScaler MAS and the RADIUS server to enable communication.
- Click Details to expand the section and set the additional parameters, and then click Create.
Configuring an LDAP Authentication Server
You can configure the NetScaler MAS to authenticate user access with one or more LDAP servers. LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on NetScaler MAS. The characters and case must also match.
To configure an LDAP authentication server
- In NetScaler MAS, navigate to System > Authentication > LDAP.
- On the LDAP page, click Add.
- On the Create LDAP Server page, set the parameters and click Create to add the server to the list of LDAP authentication servers. The following parameters are mandatory:
- Name. Name of the LDAP server.
- IP Address. IP address of the LDAP server.
- Security Type. Type of communication required between the system and the LDAP server. Select from the drop-down list. If plain text communication is inadequate, you can choose encrypted communication by selecting either Transport Layer Security (TLS) or SSL.
- Port. By default, port 389 is used for LDAP authentication. You can specify a different port number if necessary.
- Server Type. Select Active Directory (AD) or Novell Directory Service (NDS) as the type of LDAP server.
- Time-out (seconds). Time, in seconds, for which the NetScaler MAS system waits for a response from the LDAP server.
You can provide additional details. You can also validate the LDAP certificate by selecting the Validate LDAP Certificate check box and specifying the host name to be entered on the certificate. Some of the additional parameters you can add are Domain Nameserver (DN) details for queries against a directory service, default authentication group, group attributes, and other attributes.
The base DN is usually derived from the Bind DN by removing the user name and specifying the group to which the users belong. In Administrator Bind DN text box, type the administrator bind DN for queries to the LDAP directory.
Examples of syntax for base DN are:
Examples of syntax for bind DN are:
firstname.lastname@example.org (for Active Directory)
The group name and the name of the users that you define in NetScaler MAS must be similar to those configured on the LDAP server.
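The bind DN and base DN syntax above, and the repeated requirement that group names match character for character, are the two places where LDAP setups most often go wrong. The following Python helpers, added here as an illustration and not taken from the Citrix documentation or from NetScaler MAS, split a DN into its RDNs without being fooled by escaped commas (RFC 4514 `\,` and `\2c` forms), derive a base DN from a bind DN by dropping the leaf RDN (my reading of "removing the user name"; the product's own derivation may differ), tell a UPN-style bind identity such as firstname.lastname@example.org apart from a DN, and compare group names strictly, with no case folding or trimming. The DNs and group names in the test are constructed sample values.

```python
HEX = "0123456789abcdefABCDEF"


def split_dn(dn):
    """Split a DN into RDN strings. Escapes are kept as written so the parts can be
    rejoined; an escaped comma inside a value does not start a new RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling escape at end of DN")
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                cur.append(dn[i:i + 3]); i += 3      # \2c style hex escape
            else:
                cur.append(dn[i:i + 2]); i += 2      # \, style character escape
            continue
        if ch == ",":
            rdns.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    if any(not r for r in rdns):
        raise ValueError("empty RDN in DN")
    return rdns


def unescape_value(value):
    """Decode RFC 4514 escapes into the attribute value's text (hex pairs are raw UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 >= len(value):
                raise ValueError("dangling escape in value")
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(int(pair, 16)); i += 3
            else:
                out += value[i + 1].encode(); i += 2
            continue
        out += value[i].encode(); i += 1
    return out.decode()


def parse_rdn(rdn):
    """Return (attribute type, decoded value) for a single-valued RDN such as 'CN=Doe\\, John'."""
    if "=" not in rdn:
        raise ValueError(f"RDN without '=': {rdn!r}")
    atype, _, raw = rdn.partition("=")
    return atype.strip().upper(), unescape_value(raw.strip())


def is_upn(bind_identity):
    """Active Directory also accepts user@domain (UPN) as the bind identity instead of a DN."""
    return "@" in bind_identity and "=" not in bind_identity


def base_dn_from_bind_dn(bind_dn):
    """Assumption from the text: the base DN is the bind DN minus its leaf (user) RDN."""
    rdns = split_dn(bind_dn)
    if len(rdns) < 2:
        raise ValueError("bind DN has no container RDN to use as base DN")
    return ",".join(rdns[1:])


def group_name_matches(mas_group, directory_group):
    """The text requires identical characters and case on both sides, so no normalization."""
    return mas_group == directory_group


if __name__ == "__main__":
    bind = "CN=Doe\\, John,OU=Users,DC=example,DC=org"   # constructed sample DN
    print(split_dn(bind))
    print(parse_rdn(split_dn(bind)[0]))
    print(base_dn_from_bind_dn(bind))
    print(group_name_matches("NetScaler-Admins", "netscaler-admins"))
```

A naive `dn.split(",")` would turn the sample bind DN into five pieces and produce a base DN starting with " John", which is the kind of silent misconfiguration that ends in every bind failing or, worse, a search rooted in the wrong container.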
Note: While configuring a RADIUS or LDAP server, in the Details section, you can enter the name of a default authentication group. This default group is used to authorize the user when authentication succeeds, regardless of whether the user is tied to a group. The user then receives a combination of the permissions configured on this default group and on the user's other groups.
Configuring TACACS Authentication Servers
TACACS, like RADIUS and LDAP, handles remote authentication services for network access.
Configuring a TACACS authentication server
- In NetScaler MAS, navigate to System > Authentication > TACACS.
- On the TACACS page, click Add.
- On the Create TACACS Server page, enter the following details:
- Name of the TACACS server
- IP address of the TACACS server
- Port and timeout (in seconds)
- The key that is shared by the system and the TACACS server for communication.
- Click Create.
Configuring Local Authentication of Users in NetScaler MAS
If you are using local authentication, create users and then add them to groups that you create on NetScaler MAS. After configuring users and groups, you can apply authorization and session policies, create bookmarks, specify applications, and specify the IP address of file shares and servers to which users have access.
To configure local authentication in NetScaler MAS
- In NetScaler MAS, navigate to System > Authentication, and click Authentication Configuration.
- On the Authentication Configuration page, select LOCAL from the Server Type drop-down box, and click OK.
Configuring External Authentication in NetScaler MAS
When you configure external authentication servers in NetScaler MAS, the user groups that are authenticated on those external servers are imported into NetScaler MAS. You do not need to create users on NetScaler MAS; the users are managed on the external servers rather than in NetScaler MAS. However, you must ensure that the permission levels that the user groups have on the external authentication servers are maintained in NetScaler MAS. NetScaler MAS performs the authorization of users by assigning group permissions for access to specific load balancing virtual servers and to specific applications on the system. If an authentication server is later removed from the system, its groups and users are automatically removed from the system.
To configure external authentication in NetScaler MAS
- In NetScaler MAS, navigate to System > Authentication > Authentication Configuration.
- On the Authentication Configuration page, select EXTERNAL from the Server Type drop-down list.
- Click Insert.
- On the External Servers page select an authentication server. Optionally, you can select multiple authentication servers to cascade.
Note: Only external servers can be cascaded.
- Click OK to close the page.
The selected servers are displayed on the Authentication Servers page.
You can also specify the order of authentication by using the icon next to the server names to move servers up or down the list.
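The ordering described here and in the server-group paragraph earlier (the first server is always used unless it is unavailable, in which case the next one is used, with the internal database as an optional fallback) is easy to get subtly wrong in an implementation. The following Python model is added here as an illustration; it is not NetScaler MAS code and the failover semantics are taken from this page's wording, so the product's actual cascade behaviour may differ. The point it makes is the one a reviewer would check: only an unreachable server passes control down the list, while a reject from a reachable server is final, so a bad password is never retried against the next server or the local store. Server names, users and passwords are constructed sample values.

```python
import hashlib
import hmac
import os


class Unavailable(Exception):
    """Raised when a backend cannot be reached (timeout, connection refused)."""


class RemoteServer:
    """Stand-in for a RADIUS/LDAP/TACACS+ backend. `users` maps name -> password
    and `up` simulates reachability; real backends are queried over the network."""

    def __init__(self, name, users, up=True):
        self.name, self.users, self.up = name, users, up

    def authenticate(self, user, password):
        if not self.up:
            raise Unavailable(self.name)
        # Plaintext comparison only because this is a constructed stand-in.
        return self.users.get(user) == password


class LocalDatabase:
    """Internal user store with salted PBKDF2 hashes, used as the last-resort backend."""

    ITERATIONS = 100_000

    def __init__(self):
        self._rows = {}

    @classmethod
    def _derive(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._rows[user] = (salt, self._derive(password, salt))

    def authenticate(self, user, password):
        row = self._rows.get(user)
        if row is None:
            # Still derive once so a missing user is not distinguishable by timing.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = row
        return hmac.compare_digest(stored, self._derive(password, salt))


def authenticate_cascade(servers, user, password, local_fallback=None):
    """Walk the ordered server list. Only an Unavailable backend hands over to the next
    one; the first reachable backend's answer (accept or reject) is final.
    Returns (accepted, name of the deciding backend or None, names of skipped backends)."""
    skipped = []
    for srv in servers:
        try:
            return srv.authenticate(user, password), srv.name, skipped
        except Unavailable:
            skipped.append(srv.name)
    if local_fallback is not None:
        return local_fallback.authenticate(user, password), "local", skipped
    return False, None, skipped


if __name__ == "__main__":
    primary = RemoteServer("radius-1", {"alice": "pw1"}, up=False)   # constructed, simulated down
    secondary = RemoteServer("ldap-1", {"alice": "pw2"})
    local = LocalDatabase()
    local.add_user("alice", "pw-local")
    print(authenticate_cascade([primary, secondary], "alice", "pw2", local))
    print(authenticate_cascade([primary, secondary], "alice", "pw-local", local))
```

The second call in the usage block is the case worth an audit rule: it is rejected by ldap-1 and never reaches the local store, even though the local password would have matched. The returned `skipped` list is what you would write to the log so that a server that is silently failing over all day is noticed.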
Configuring Groups in NetScaler MAS
NetScaler MAS allows you to authenticate and authorize your users by creating groups and adding the users to the groups. A group can have either "admin" or "read-only" permissions and all users in that group will receive equal permissions.
In NetScaler MAS, a group is defined as a collection of users having similar permissions. A group can have one or multiple roles. A user is defined as an entity that can have access based on the permissions assigned. A user can belong to one or more groups.
You can create local groups in NetScaler MAS and use local authentication for the users in the groups. If you are using external servers for authentication, configure the groups on NetScaler MAS to match the groups configured on authentication servers in the internal network. When a user logs on and is authenticated, if a group name matches a group on an authentication server, the user inherits the settings for the group on NetScaler MAS.
After you configure groups, you can apply authorization and session policies, create bookmarks, specify applications, and specify the IP addresses of file shares and servers to which the user has access.
If you are using local authentication, create users and add them to groups that are configured on NetScaler MAS. The users then inherit the settings for those groups.
Note: If the users are members of an Active Directory group, the name of the group and the names of the users on NetScaler MAS must be the same as in the Active Directory group.
To configure user groups in NetScaler MAS
- In NetScaler MAS, navigate to System > User Administration > Groups.
- On the Groups page, click Add to create a group. By default, two groups are created in NetScaler MAS, with permissions set to admin and read only. You can add your users to these groups, or you can create other groups for your users.
- On the Create System Group page, type the name of the group, and set permissions either as admin or read-only.
Note: Make sure that the name of the user group created on NetScaler MAS is the same as on the external authentication servers. If not, the system will not recognize the group, and the group members will not be extracted into the system.
- In the Users table, select the users that you want to add to the group. The users are added to this table when you configure users in Configuring Users in NetScaler MAS. Another option that you can configure is Session Timeout, which sets a timeout limit for the sessions of the users in that group. You can also set the VM instances that can be accessed by the group members.
- On the next screen, you can grant permissions to a particular NetScaler instance. This allows the users to access only that instance. However, the users can still create a new instance in the system and manage that instance.
When you finish creating a group in the system, all the users in the external authentication server are extracted into the system. If the group name matches the group name on the external authentication server, the user inherits all the authorization definitions when logged on to the system.
Configuring Users in NetScaler MAS
You can create user accounts locally on NetScaler MAS to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such as consultants or visitors, without creating an entry for those users on the authentication server. If you are locally authenticating users that are present on external authentication servers, make sure that the same users are present on both the authenticating servers and NetScaler MAS.
To configure users in NetScaler MAS
- In NetScaler MAS, navigate to System > User Administration > Users.
- On the Users page, click Add to add users to NetScaler MAS.
- On the Create System User page, set the following parameters:
- User Name. Name of the user
- Password. Password that the user will use to log on to NetScaler MAS
- Enable External Authentication. Enable external authentication. If this is not enabled, the user is authenticated as a local user.
- Configure Session Timeout. Time for which a user can remain active. This time period can be set in minutes or hours.
- In the Groups table, select the group to which to add the user. The group members are added to this table when you configure groups in Configuring User Groups in NetScaler MAS.
Note: If the users are on Active Directory, make sure that the group name in NetScaler MAS is same as the one for the Active Directory group on the external server.